Severity
Medium
Analysis Summary
Email templates impersonating the Portuguese Government Finance & Tax authority are being used to push the Lampion malware via malspam. The emails, aimed at Portuguese users, claim issues related to a debt from the year 2018. When the victim clicks a link in the email body, the malware is downloaded from an online server as a compressed (.zip) file named FacturaNovembro-4492154-2019-10_8.zip.
Extracting the archive yields three files.
The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of Lampion's infection chain: a Visual Basic Script (VBScript) file acting as both dropper and downloader. It retrieves the next stage from a compromised server hosted on the Internet in an AWS S3 bucket.
The Lampion trojan uses anti-debugging and anti-VM techniques. A commercial protector known as VMProtector 3.x, together with specially crafted code, makes it difficult to analyze both in a sandbox environment and manually.
Impact
Exposure of sensitive information
Indicators of Compromise
MD5
- 3350e74a4cfa020f9b256194eae25c12
- e7bdce5505ee263530dea04c2fdc661f
- 18977c78983d5e3f59531bd6654ad20f
- 76eed98b40db9ad3dc1b10c80e957ba1
SHA-256
- 418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047
- f7a7a5144e72e83d4a12c9abc2a6a2875a23e6adce425fde2428b8f7b46b1a7e
- eb3f2be571bb6b93ee2e0b6180c419e9febfdb65759244ea04488be7c6f5c4e2
- 54b6af48991c5c03a5a905eeb5d922eef86678b2bfc3f77d784b3d91691837e1
URL
- http[:]//100.26.189[.]49/PY/App[.]php?=5wzpz2e7xglkzmh
Remediation
- Block the threat indicators at their respective controls.
- Strictly avoid clicking on URLs found in untrusted emails.
- Do not download files from untrusted emails or random sources on the internet.
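As an added defender-side example (not Rewterz's code), the following Python check inspects an email attachment for the chain described above: the lure archive name, a VBScript dropper inside the archive, and the MD5/SHA-256 IoCs listed in this alert. The filename pattern is an assumption generalised from the single observed name, and the sample archive is constructed and inert.

```python
import hashlib
import io
import re
import zipfile
# IoCs from this alert (MD5 and SHA-256 of the campaign's files), lowercase hex.
IOC_MD5 = {
    "3350e74a4cfa020f9b256194eae25c12", "e7bdce5505ee263530dea04c2fdc661f",
    "18977c78983d5e3f59531bd6654ad20f", "76eed98b40db9ad3dc1b10c80e957ba1",
}
IOC_SHA256 = {
    "418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047",
    "f7a7a5144e72e83d4a12c9abc2a6a2875a23e6adce425fde2428b8f7b46b1a7e",
    "eb3f2be571bb6b93ee2e0b6180c419e9febfdb65759244ea04488be7c6f5c4e2",
    "54b6af48991c5c03a5a905eeb5d922eef86678b2bfc3f77d784b3d91691837e1",
}
# Lure naming pattern, generalised (assumption) from "FacturaNovembro-4492154-2019-10_8.zip".
LURE_NAME = re.compile(r"^Factura[A-Za-z]+-\d+-\d{4}-\d+_\d+\.zip$", re.IGNORECASE)

def hash_matches(data, md5s=IOC_MD5, sha256s=IOC_SHA256):
    """Return the IoC hash sets ('md5', 'sha256') that the blob matches."""
    hits = []
    if hashlib.md5(data).hexdigest() in md5s:
        hits.append("md5")
    if hashlib.sha256(data).hexdigest() in sha256s:
        hits.append("sha256")
    return hits

def inspect_attachment(name, data):
    """Flag an email attachment that matches the Lampion lure or its IoCs."""
    findings = [f"ioc_{h}:{name}" for h in hash_matches(data)]
    if LURE_NAME.match(name):
        findings.append(f"lure_filename:{name}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = zf.read(info)
                # A VBScript inside an "invoice" archive is the first-stage dropper.
                if info.filename.lower().endswith(".vbs"):
                    findings.append(f"vbs_dropper:{info.filename}")
                findings += [f"ioc_{h}:{info.filename}" for h in hash_matches(inner)]
    return {"attachment": name, "suspicious": bool(findings), "findings": findings}

def build_sample_lure():
    """Constructed, inert archive mimicking the lure's layout (three files, one .vbs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FacturaNovembro-4492154-2019-10_8.vbs", "' inert placeholder\r\n")
        zf.writestr("placeholder.txt", "constructed sample, not malware")
        zf.writestr("placeholder.dat", b"\x00\x01")
    return buf.getvalue()
```

Run `inspect_attachment("FacturaNovembro-4492154-2019-10_8.zip", build_sample_lure())` to see the lure-name and VBScript findings; real attachments additionally hit the hash sets when they match the listed IoCs.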